Q. How do I turn on DNS server logging so that I can see all the queries on my CentOS 4.0 server?
A. You can use the rndc command, which controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
Task: Turn on logging
Type the following command as root to toggle query logging:
# rndc querylog
Task: View bind server query log
Once this is done, you can view all logged queries in the /var/log/messages file. To view those queries, type:
# tail -f /var/log/messages
Task: Turn off logging
Type the same command as root to toggle query logging off again:
# rndc querylog
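Once query logging is on, the lines named writes to /var/log/messages (or /var/log/syslog on Debian) can be analysed offline. The following is an added example, not part of the original post: it parses BIND 9 query log lines in both the older "client IP#port: query:" and the newer "client @0x... IP#port (name): query:" shapes, counts queries per client, and flags sources sending repeated recursive ANY queries, the pattern the last comment below describes when it found a DNS amplification attack in this log. The log lines are constructed samples; the threshold and regular expression are this example's own assumptions, not something rndc or named provides.

```python
import re
from collections import Counter

# Matches a BIND 9 query log line as syslog stores it. The "@0x..." handle, the
# "(name)" after the port and the flag field are optional so that both the BIND 9.3
# era format and the current one parse; this regex is an assumption of the example.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)(?: (?P<flags>\S+))?"
)

def parse_query_log(lines):
    """Yield (client_ip, qname, qtype, recursion_desired) for each query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, e.g. "query logging is now on"
        flags = m.group("flags") or ""  # a leading "+" means recursion desired
        yield m.group("ip"), m.group("name"), m.group("type"), flags.startswith("+")

def summarize(lines, threshold=3):
    """Count queries per client and list clients that sent at least `threshold`
    recursive ANY queries, a typical amplification signature on an open resolver."""
    per_client = Counter()
    any_recursive = Counter()
    for ip, _name, qtype, rd in parse_query_log(lines):
        per_client[ip] += 1
        if qtype == "ANY" and rd:
            any_recursive[ip] += 1
    suspects = sorted(ip for ip, n in any_recursive.items() if n >= threshold)
    return per_client, suspects

# Constructed sample lines in the shape named writes via syslog (not real traffic).
SAMPLE = """\
Apr 30 02:15:17 ns1 named[1234]: received control channel command 'querylog'
Apr 30 02:15:17 ns1 named[1234]: query logging is now on
Apr 30 02:15:18 ns1 named[1234]: client 192.0.2.10#53211: query: www.example.com IN A +
Apr 30 02:15:18 ns1 named[1234]: client 198.51.100.7#1053: query: isc.org IN ANY +
Apr 30 02:15:18 ns1 named[1234]: client 198.51.100.7#1054: query: isc.org IN ANY +
Apr 30 02:15:19 ns1 named[1234]: client 198.51.100.7#1055: query: isc.org IN ANY +
Apr 30 02:15:19 ns1 named[1234]: client @0x7f3a1c00 192.0.2.10#53212 (mail.example.com): query: mail.example.com IN MX +E(0)K (203.0.113.5)
Apr 30 02:15:20 ns1 named[1234]: client 192.0.2.44#4000: query: example.com IN ANY -
""".splitlines()

if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} queries")
    print("recursive ANY sources at or over threshold:", suspects)
```

To run it on a live server, replace SAMPLE with the lines of /var/log/messages (or /var/log/syslog); the two control-channel lines in the sample show that non-query messages are skipped.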



11 comments
Perfect! Thanks!
True
Thanks a lot.
Thanks a lot for this hint!!!
Is there any program or service to monitor which domain name is used and queried by any client?
I want a Linux bind9 DNS query log analyser, etc.
Use dig by installing dnsutils… [http://packages.ubuntu.com/trusty/dnsutils]
Example output:
$ dig google.com
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 299 IN A 216.58.216.46
;; Query time: 43 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Apr 30 02:15:17 PDT 2016
;; MSG SIZE rcvd: 55
And nmap for ports:
$ nmap google.com
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-30 02:17 PDT
Nmap scan report for google.com (216.58.216.46)
Host is up (0.0043s latency).
rDNS record for 216.58.216.46: lax02s22-in-f46.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds
In the case of a Debian system like mine (wheezy), I had to tail /var/log/syslog instead of /var/log/messages :)
Thanks a lot for that Debian-specific information.
Excellent, thank you so much!
Thank you!!!
Is there a way to redirect the rndc querylog output to a separate log file (where just the queries can reside) instead of the system journal and /var/log/messages?
This is on CentOS 7.x with chroot'ed bind.
Thanks
Just thought I'd add a thanks to this. I installed ntop and discovered massive spikes on UDP. By enabling this log (I didn't know it was disabled by default) I discovered a DNS amplification attack (DDoS) on my server because I had recursion enabled in the named.conf file (my bad). Without viewing the log I would have been left head-scratching over where the traffic was coming from.